Restricting the commands in the routers & switches


I have a 2511 router configured as a terminal server. I telnet to the terminal server. Then I'm asked for a username. Then when I type R1 I go into router1, or if I type S1, I go into switch1. In other words, I get a reverse telnet from 2511 to the other routers and switches.

My question is, can I give access levels? I have heard of giving privilege levels, but that is if I telnet the device straight away, not through a reverse telnet like this.

Can I restrict it so that, for a certain user, only certain commands are available? I ask because I have a problem: some students log in and delete flash.

This is in a lab that I have this setup.

Thanks in advance!

Re: Restricting the commands in the routers & switches


If I understand your explanation you have a 2511 acting as a terminal server in a lab environment. A student logs in to the 2511, authenticates via username and password, and then does reverse telnet to other routers and switches. Do they log in on those routers and switches or do they go directly into user mode (no password required on console by default)? If they can delete flash they must be in privilege mode, so how do they get to privilege mode?

It seems to me that the most simple answer would be to configure an enable password or enable secret on the other routers and switches and to not give the enable password to the students.

Or if the students need to do some things beyond user level on these routers and switches but you want to restrict things like delete flash then you could configure the routers with privilege levels. Since the reverse telnet is connecting to the console port you could just configure the line console 0 to start sessions at some privilege level. Or you could configure the console with login local and establish a username and password with the privilege level for students and a username and password with privilege level 15 for your use.



Re: Restricting the commands in the routers & switches

Hi Rick

Thanks a lot for your reply.

You've got it right, but there is a small difference.

Yes, I have a lab environment. Students telnet to the 2511. But they don't go inside / log in to the 2511. When they telnet to the 2511, they are asked for a username. Then they enter this username. Then a reverse telnet will go to their router or the switch, depending on which username he/she entered. For example, if the student enters 'R1' he will be inside the R1. He never gets into the 2511.

Yes, the students need to go to privilege mode because it is a lab. Therefore there is no point in having a password in line con 0 or in enable mode. They need to configure the devices.

I don't know how to configure it with the different privilege levels. Can I configure different privilege levels in my lab environment? If I can, I would appreciate it if you could let me know a URL for a document that will guide me to do this.

Note: In my 2511, I have configured the reverse telnet command like this:

interface loopback 0

ip address

interface ethernet 0

ip address

username R1 nopassword

username R1 autocommand resume /connect telnet 2001

username S1 nopassword

username S1 autocommand resume /connect telnet 2002

When the students telnet to, they see a prompt like this:


Then they enter R1 as the username, then they will be inside their R1, not 2511.

From the 2511 I have octal cables connecting to these student routers and switches. The octal cables connect to their console ports. In other words, it is as if students log in to the student router or the switch from the console port.

Now I'm just wondering whether I can set privilege levels in this environment.

Please advise.

Thanks in advance!

Re: Restricting the commands in the routers & switches

Hi .. you must have a username on the R1 and S1 devices ( R1 and S1 ) on privilege 15 right ..?

You could perhaps customise level 14 on these devices by adding some of the commands from level 15 and give access to that level instead .. please see the below link which has some examples .. the key is the use of the privilege command.
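
The approach suggested in the replies above, written out as an added example that is not part of any poster's message: a configuration for a student router (the device on the far end of the octal cable, not the 2511) in which students log in on the console at a custom level 14 while the file-system commands stay at level 15. The usernames, the `<...>` placeholder secrets and the particular commands moved to level 14 are assumptions chosen for illustration.

```cisco
! Added example for a student router such as R1 (not the 2511 terminal server).
! Usernames, <placeholder> secrets and the level-14 command set are assumptions.

! With no enable secret or password set, a console user can type "enable"
! and reach level 15 without a password, which would undo everything below.
enable secret <instructor-enable-secret>

! One restricted account for students, one full account for the instructor.
username student privilege 14 secret <student-secret>
username instructor privilege 15 secret <instructor-secret>

! Reverse telnet from the 2511 arrives on the console port, so the login
! requirement goes on line con 0. The session starts at the level attached
! to the username that logs in.
line con 0
 login local
!
! Lower only the commands the lab exercises need from level 15 to level 14.
privilege exec level 14 configure terminal
privilege exec level 14 show running-config
privilege configure level 14 interface
privilege interface level 14 ip address
privilege interface level 14 shutdown
!
! delete, erase and format are deliberately not listed: they keep their
! default level 15, so a level-14 session cannot remove the image in flash.
!
! Check from a student session:
!   show privilege      (should report level 14)
!   delete flash:?      (should be rejected as an unknown/invalid command)
```

Keep `enable`, `username` and `privilege` out of the level-14 set, otherwise a student session can raise its own level from configuration mode.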

